Governance, Risk and Compliance Charter

Transcription

1 Governance, Risk and Compliance Charter Charter Owner Director GRC Charter Approver Board of Management Effective date November 15 th, 2013 Date of issue Version Name Title 15 Nov Fokko Kool Group Director Governance Risk & Compliance 1/17

2 Contents 1. Introduction Objective Scope of GRC GRC Organizational structure GRC Function Relation between GRC Function and other Functions Foundation of the GRC organization GRC is the responsibility of every employee Role of management Independence and objectivity Authorities and GRC Function performance Qualifications, experience and skills Collaboration Access Responsibilities on GRC Supervisory Board Audit Committee Board of Management GRC Functions at Group, Divisional and GC&BU level Ethics Committee, Risk Council and Tender Board Ethics Committee Risk Council Tender Review Board Reporting Structure Dual reporting line Periodic and immediate reporting Reporting responsibilities per function at Group level Reporting responsibilities at Divisional or GC&BU level Effective date Annex I: Overview of main responsibilities per Group GRC Function Annex II: Overview of main responsibilities at Divisional and GC&BU level /17

3 1. Introduction Imtech has expanded rapidly over the last 10 years. Recently, Imtech's management concluded that its Governance, Risk and Compliance (hereinafter: GRC) framework was no longer proportional to the size of its business. Additionally, due to the increased complexity of projects, the framework needed to be enhanced. Also, it was clear from the irregularities within Imtech that Imtech's governance and business controls were not sufficiently effective. Due to these reasons, Imtech has strengthened its GRC framework. This GRC Charter formalizes the enhanced Imtech GRC organization. The GRC Charter is intended for (1) employees with a GRC Function at Group level and throughout all Imtech businesses, such as risk managers and compliance officers, (2) Group and Divisional Management, and (3) other Group and Divisional staff functions. 2. Objective The purpose of the GRC Charter is to define the scope, organization, responsibilities and reporting lines of Imtech s GRC framework. This GRC Charter describes the framework and its translation within the Imtech organization. It specifically defines the roles and responsibilities of the Risk Management and Compliance Functions across Imtech s organization. 3/17

4 3. Scope of GRC Imtech has defined the scope of GRC in the Imtech GRC framework in the chart below: The GRC framework reflects three levels, namely (1) Imtech s stakeholders expectations and regulatory requirements require an enhanced GRC approach, (2) the executive level that sets Imtech s strategy and aligns Imtech s vision, values, people and culture, and (3) the GRC organization within Imtech. The latter is described in this GRC Charter and is based on the following principles: Governance Oversight: sets the structure for on-going operation of the governance framework, provides the hierarchy for reporting and monitoring in line with Imtech s decentralized management model; Management System: embeds the governance principles into day to day business activities by setting clear and simple policies, supporting training activities and quality of business controls and performance requirements; 4/17

5 Risk Management: sets the organization s risk appetite on strategic, project, operating and compliance risks and aligns behavior with Imtech s strategy and expectations; and Incident Management: prevents and deters misconduct within the organization by supporting that all matters that may cause harm or damage to the organization s reputation are reported appropriately and are dealt with in a timely and adequate manner. This Charter defines the responsibilities for eight GRC areas to create a structured GRC organization. Those areas are: 1. Risk Management: contains the development and implementation of the Risk Management Policy, process and related tooling; 1. Strategic Risk 2. Project Risk 3. Operating Risk 4. Compliance Risk 2. Governance Oversight: describes the activities required to determine the governance structure and the applicable roles and responsibilities; 1. Governing Bodies 2. Policy Governance 3. Operation Model 3. Policies and Procedures: contains a plan regarding the development and implementation of Imtech group policies and necessary procedures; 4. Training and Awareness: includes the activities that support the development of the right attitudes and behaviors with respect to GRC; 5. Internal Control Framework: implements the Internal Control Framework that substantiates the Internal Control Statements (ICS) and provides management with more assurance on reliable (financial) reporting; 6. Incident Management: focuses on reducing potential damage, such as financial losses and reputational harm, due to incidents (such as fraudulent reporting, misappropriation of assets, bribery, corruption); 7. Internal Audit: enables independent assurance on defined objectives and risks; and 8. Communication and Conformance Reporting: focuses on monitoring the progress of GRC at the organization, including taking corrective actions if necessary. 5/17

6 4. GRC Organizational structure 4.1 GRC Function The Imtech organization consists of three functional levels: (1) Group, (2) Division and (3) Group Companies and Business Units (hereinafter GC&BU s). The Board of Management s GRC operational responsibility is delegated to the Director GRC. The Director GRC leads Risk Management, Internal Audit and Compliance at Group level. Internal Audit solely operates at Group level. Group Risk Management and Group Compliance functionally lead the Divisional level Risk and Compliance Functions respectively. The Divisional Risk and Compliance Functions functionally lead the GC&BU Risk and Compliance Functions respectively. Together, the Director GRC, Group Risk Management, Group Compliance, and the Risk and Compliance Functions form the GRC Function. Supervisory Board and its Audit Committee Group Board of Management Director GRC Group Risk Management Internal Audit Group Compliance Mgr Risk Council and Tender board Ethics Committee Division Risk Management Function Divisional Management Compliance Function GC&BU Risk Management Function GC&BU Management Compliance Function GRC Responsibility for every employee 4.2 Relation between GRC Function and other Functions The GRC Function, besides having its own specific topics in scope, also fulfills an umbrella function within Imtech as several staff functions have their own GRC related responsibilities. This umbrella function consists of coordination of and cooperation with other functions concerning the GRC related areas. The Director GRC is responsible for reporting combined GRC information to the Board of Management and the Audit Committee. 6/17

7 Responsibilities of other staff functions can include: support, investigate, report, inform, follow up and/or monitor on GRC related areas. The responsibilities of other staff functions on GRC include: HR Control Legal Communications & CSR - implement relevant policies in new hire packages - implement monitoring of completion of GRC related training - implement the Internal Control Framework - substantiate the Internal Control Statements aligned with the GRC function - take into account relevant GRC topics in contracts - provide advice on GRC related topics, e.g. competition, on request of the business - support GRC communication within the organization, e.g. via the organization s Group Intranet website - align CSR related indicators with GRC related indicators 7/17

8 5. Foundation of the GRC organization To support the efficacy of the GRC organization, several general foundations have to be set. 5.1 GRC is the responsibility of every employee Every Imtech employee has the responsibility to comply with applicable laws, regulations, standards and internal rules. Management is responsible for identifying and communicating to each employee the minimum GRC requirements in daily business operations. Management will also to reward or sanction employees performance against these requirements. Employees must be aware, understand, and ensure they meet the GRC obligations that impact their daily business operations. 5.2 Role of management At all levels, management must create an environment of individual and collective accountability, meaning the importance of meeting GRC obligations is well understood. Management must provide sufficient resources to its GRC Functions (budget, staffing, etc.) to ensure effective risk management and compliance in the business. Furthermore, management should promote compliance and ethics by example. To support this, GRC will be included in the key performance indicators (KPIs) of Management. 5.3 Independence and objectivity Independence and objectivity are essential elements to ensuring the effectiveness of the GRC organization. Members of the Imtech GRC Function display independence and objectivity from the business activities of their Group, Division and GC&BU creating countervailing powers which helps to avoid conflicts of interest. 5.4 Authorities and GRC Function performance Imtech employees with a Risk and Compliance Function are appointed by the business in accordance with the designed profile by the GRC Function. Decisions regarding hiring, appraisals, terms of employment and dismissal will be taken by the relevant manager together with the Group Director GRC. The GRC Function will monitor the performance of the Risk and Compliance Function on divisional level based on the responsibilities described in this GRC Charter. 5.5 Qualifications, experience and skills Individuals who serve in an Imtech GRC Function must have the necessary qualifications, experience and professional and personal skills to enable them to carry out their responsibilities effectively. They must have an overall understanding of Imtech and the 8/17

9 commercial operation of its business. They must also understand the obligations, legislation and standards that impact Imtech s business. 5.6 Collaboration The GRC Function collaborates with other functions to ensure optimal leverage with existing approaches and methodologies. Responsibilities of other staff functions can include: supporting, investigating, reporting, informing, following up and/or monitoring GRC related areas. 5.7 Access The GRC Function must, at all times, have unrestricted and direct access (in accordance with local laws and regulations) to all activities in their area of responsibility. This includes access to all documentation and systems, e.g. complaints register, whistleblower reports and files. 9/17

10 6. Responsibilities on GRC 6.1 Supervisory Board Imtech s Supervisory Board is responsible for supervising the policies of the Board of Management and the general affairs of the company, as well as providing advice to the Board of Management. The Supervisory Board is responsible for supervising the Board of Management with regard to the design and efficacy of the internal risk management and control systems, risks inherent to the business activities and compliance with laws, regulations and internal rules from a GRC Function perspective Audit Committee The Supervisory Board established an Audit Committee from amongst its members. The Audit Committee has specific responsibilities and tasks for which it advises the Supervisory Board. The Audit Committee specifically focuses on internal risk management and control systems, internal audit process and supervision of the compliance with relevant legislation and regulations. With regards to Risk Management, Compliance and Internal Audit, the Audit Committee s supervision responsibilities are described in more detail in Imtech s Audit Committee Charter. 6.2 Board of Management The Board of Management manages Imtech, which means that it is responsible for achieving Imtech s aims, the strategy and associated risk profile, the development of results and stakeholder s issues that are relevant to the company. To meet the Board of Management GRC responsibilities, the Board of Management appointed a Director GRC to manage the GRC Function. The Board of Management should : promote compliance and ethics by leading by example provide sufficient resources to its GRC Function (budget, staffing, etc.) for effective GRC management in the business. ensures the operation of an Ethics Committee. ensures the operation of a Tender Review Board 10/17

11 6.3 GRC Functions at Group, Divisional and GC&BU level The GRC Functions at Group level consist of the Director GRC, the Internal Audit Department, Group Risk Management and the Group Compliance Manager. An overview of the main responsibilities per Group GRC Function Director GRC, Group Risk Management, Group Compliance Manager and Internal Audit is provided for in Annex I. An overview of the main responsibilities per Divisional and GC&BU GRC Function Risk Management Function and Compliance Function is provided for in Annex II. 11/17

12 7. Ethics Committee, Risk Council and Tender Board The composition, structure and role of the Ethics Committee, Risk Council and Tender Review Board are described in this Chapter. 7.1 Ethics Committee The Ethics Committee facilitates the enforcement of the Code of Conduct and other compliance activities as well as focuses on critical compliance and ethics misconduct. When suspected misconduct is reported to the Ethics Committee, the investigation is conducted under its guidance. The Ethics Committee may also request the Internal Audit Department to conduct a special purpose engagement. The Ethics Committee is chaired by the Director GRC and consists of senior executives (at least: Corporate Secretary and Head of Internal Audit). The Ethics Committee will discuss ethical misconduct and investigations on a regular basis and as circumstances require. 7.2 Risk Council The Risk Council coordinates and aligns Imtech s risk management with its common practices. The Risk Council evaluates the Risk Management Process and discusses the interpretation of the Risk Management Policy, Divisions Risk Manuals and related Risk Management procedures, when needed. The Risk Council is chaired by the Director GRC and consists of the Group Risk Managers and Divisional Risk Managers. The Risk Council will meet on a regular basis. 7.3 Tender Review Board The Tender Review Board oversee the tender procedures for new projects and approve projects above certain contract value as defined in the Autorisation Matrix. The Tender Review Board at Group level is consisting of, among others, a member of the Board of Management and the Director GRC. 12/17

13 8. Reporting Structure 8.1 Dual reporting line Within Imtech, a dual reporting line is in place to management and the GRC Function. This dual reporting consists of operational reporting to the relevant manager and functional reporting to the relevant GRC Function. This dual reporting structure with a separate functional reporting line supports independence of the GRC Functions from business activities and assists in avoiding potential conflicts of interest. Audit Committee GROUP LEVEL Board of Management (CFO) Group Risk Managers Director GRC Internal Audit Group Compliance Manager DIVISIONAL LEVEL Divisional Management Risk Management Function Compliance Function GC&BU LEVEL GC&BU Management Risk Management Function Compliance Function Functional Reporting Operational Reporting 8.2 Periodic and immediate reporting Imtech distinguishes between periodic reporting and immediate reporting. Periodic reporting consists of general updates, summaries or overviews that allow the operational or functional higher level to take its GRC related responsibilities. In exceptional cases, such as in case of serious misconduct (as described in the Incident Management Policy), a report will be send immediately to the Director GRC. 13/17

14 8.3 Reporting responsibilities per function at Group level Director GRC: The Director GRC reports on a regular basis to the Board of Management. The report can include information on, but not limited to, the following: the roll out of the GRC year plan, upcoming GRC activities and follow up activities; and summary of the reports of, developments in and correlation between Risk Management, Compliance and Internal Audit, including, e.g., a summary of (suspected) misconduct cases, proceedings on investigations and follow up. In case of serious misconduct, the Director GRC reports immediately to the Board of Management and the Audit Committee. Group Risk Management: The Group Risk Managers report on a regular basis to the Director GRC. The report can include information on, but not limited to, the following: developments on the Group Risk Management Policy and Division Risk Manuals, tools and methodologies (including training on Risk Management); the progress on risk assessments at divisional and GC&BU levels; and the projects that require Authorization To Proceed (ATP). Group Compliance Manager: The Group Compliance Manager reports on a regular basis to the Director GRC. The report can include information on, but not limited to, the following: reports on (suspected) misconduct cases and proposed remedial and corrective actions; compliance progress, monitoring and follow up activities; significant regulatory changes in the field of compliance; and proposed changes in compliance related policies and other documents. Internal Audit Department: The Head of Internal Audit reports to the Director GRC, the Board of Management and the Audit Committee on a regular basis. The report can include information on, but not limited to, the following: the progress regarding audit planning and audit execution; the Internal Audit coverage in accordance with the agreed Audit Plan; 14/17

15 delivery of audit services against the agreed audit plan; and a summary of results of the audit function s work. 8.4 Reporting responsibilities at Divisional or GC&BU level The Risk Management Function and the Compliance Function at Divisional or GC&BU level will provide the Group Risk Management and Compliance Management updates on a regular basis as well as specific information requested by the Group Risk Management, Compliance Management and Director GRC. In case of serious misconduct, the Divisional or GC&BU Compliance Function reports immediately to the Group Risk Management and Compliance Management and Director GRC. 9. Effective date This GRC Charter takes effect on November 15th, /17

16 Annex I: Overview of main responsibilities per Group GRC Function Responsibilities Director GRC Group Risk Management Group Compliance Manager Group Internal Audit - Develop, implement and maintain the GRC charter, plan and activities - Ensure an independent Risk Management, Compliance and Internal Audit Function at Group level and be involved in decisions regarding hiring, appraisals, terms of employment and dismissal of Divisional Risk Function and Compliance Function. - Review and approve GRC related policies and monitor the implementation and maintenance of these policies. - Coordinate the Tender Review Board process. - Coordinate the incident management process and the investigations conducted under the guidance of the Ethics Committee. - Monitor management effectiveness in incorporating GRC into the organization and regular management activities. - Report the status of GRC activities to the Board of Management and Audit Committee. - Develop, implement and maintain the Group Risk Management Policy. - Review the Division Risk Manuals and ensure they are in line with the Group Risk Management Policy and related procedures. - Advise on Authorization To Proceed (ATP) Projects. - Provide the Board of Management and Director GRC with a weekly report on ATP projects. - Oversee the tender procedures for new projects. - Coordinate training in risk management for target groups at Group and Division level in coordination with Divisional Risk Managers. - Evaluate the RM implementation within each division as well as how this implementation complies with the RM Policy - Report to the Director GRC. - Develop, implement and maintain compliance related policies. - Review the Division compliance procedures and ensure they are in line with the Group compliance related policies. - Perform compliance risk analyses as input for Group compliance activities. - Monitor reports on (suspected) misconduct cases, follow up on reported incidents and proposed remedial and corrective actions. - Coordinate training in compliance for target groups at Group and Division level in coordination with Divisional Compliance Functions. - Evaluate the implementation of compliance within each division as well as how this implementation complies with the compliance related policies. - Determine follow up activities and report to the Director GRC. - Develop, implement and maintain the Group Internal Audit Charter. - Examine and evaluate the adequacy and efficacy of internal controls in case of assurance services. - Support or execute the investigation of an incident. - Evaluate and improve the effectiveness of project risk management, internal control and governance processes. - Execute and monitor the delivery of audit services against the agreed audit plan (including ad hoc special purpose engagements). - Summarize and present results of the Internal Audit function s work and discuss these with the Board of Management and Audit Committee. 16/17

17 Annex II: Overview of main responsibilities at Divisional and GC&BU level Responsibilities Risk Management Function - Develop, implement and maintain risk management plan at Divisional and GC&BU level in accordance with this GRC Charter and the Group Risk Management Policy. - Develop, implement and maintain Divisional Risk Manual and Divisional or GC&BU risk management procedures to support this and ensure they are in line with the Group Risk Management Policy and related procedures. - Facilitate and participate in the project risk management process and coordinate that risk mitigation actions are taken at Division, GC and/or BU level. - Advice on Authorization To Proceed (ATP) Projects. - Provide the Divisional Management with report on ATP projects on a regular basis. - Organize training in risk management for target groups at Division and GC&BU level in coordination with Group Risk Management. - Report updates to the Group Risk Managers and provide specific information on request of the Group Risk Managers and/or Director GRC. Compliance Function - Develop, implement and maintain compliance plan at Divisional and GC&BU level in accordance with this GRC Charter and compliance related policies. - Develop, implement and maintain Divisional and GC&BU compliance procedures to support this and ensure they are in line with the Group compliance related policies. - Perform compliance risk analyses as input for Group compliance activities. - Monitor reports on (suspected) misconduct cases, follow up on reported incidents and proposed remedial and corrective actions. - Organize training in compliance for target groups at Division and GC&BU level in coordination with Group Compliance Manager. - Report updates to the Group Compliance Manager and provide specific information on request of the Group Compliance Manager and/or Director GRC. - In case of serious misconduct, immediate report to the Director GRC. 17/17